#!/bin/bash
## kola:
##   exclusive: false
##   description: Verify that there are no file/directory with
##     SetGID bit set, except the known files and directories.

set -xeuo pipefail

# shellcheck disable=SC1091
. "$KOLA_EXT_DATA/commonlib.sh"

# List of known files and directories with SetGID bit set
# Drop '/usr/libexec/openssh/ssh-keysign' after
# https://src.fedoraproject.org/rpms/openssh/c/b615362fd0b4da657d624571441cb74983de6e3f?branch=rawhide
# is in all OS.
list_setgid_files=(
    '/usr/bin/write'
    '/usr/libexec/openssh/ssh-keysign'
    '/usr/libexec/utempter/utempter'
)

unknown_setgid_files=""
while IFS= read -r -d '' e; do
    found="false"
    for k in "${list_setgid_files[@]}"; do
        if [[ "${k}" == "${e}" ]]; then
            found="true"
            break
        fi
    done
    if [[ "${found}" == "false" ]]; then
        unknown_setgid_files+=" ${e}"
    fi
done< <(find /usr /etc -type f -perm /2000 -print0 -o -type d -perm /2000 -print0)

if [[ -n "${unknown_setgid_files}" ]]; then
    echo "SetGID:${unknown_setgid_files}"
    fatal "found files/directories with SetUID/GID bit set"
fi
ok "no unknown file/directory with SetUID/GID bit set"
